Friday, January 27, 2012

unpackme-DFW_0x7d7.exe

MD5 - c97d934f77f8b17da73d9396f23ee024

This particular unpackme is packed with a tampered (modified) build of tElock. A while back I read about a quick and effective way of unpacking it, and surprisingly the same method works on quite a few of the other packers/protectors out there, so I thought it would be nice to document it here.

Start off by running the executable under Excphook.exe and noting how many exceptions it raises. Then load the executable into OllyDbg, set a breakpoint on KiUserExceptionDispatcher (in ntdll) and run it. Each time the breakpoint hits, press F9 to continue and keep count of the hits; stop when you have seen as many as Excphook reported, because at that point the packer has just raised its last exception.

Remove the breakpoint on KiUserExceptionDispatcher and instead set a memory breakpoint on access on the code section of the executable, so the debugger stops as soon as the unpacked code is touched.

Press F9 and voilà, you stop at the OEP as the packer jumps into the unpacked code.
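The same procedure can be automated in OllyDbg with an ODbgScript. The script below is an added example written for this page, not code from the original post or from any tool it mentions. It assumes the standard ODbgScript commands (gmi, eoe, esto, bprm, bpmc, coe) and that OllyDbg is not configured to ignore the exception types the packer raises. Instead of a breakpoint on KiUserExceptionDispatcher it counts the exceptions through ODbgScript's exception callback (eoe), which fires on the same events; the value of `target` is a placeholder that you replace with the number Excphook reported.

```odbgscript
// Added example: automate the exception-counting unpack in OllyDbg 1.10 + ODbgScript.
// Assumed ODbgScript syntax; numeric literals in ODbgScript are hexadecimal.
var target      // exceptions reported by Excphook.exe (placeholder, replace it)
var count       // exceptions passed back to the packer so far
var codebase    // start of the main module's code section
var codesize    // size of the main module's code section
var codeend

mov target, 0A  // <- replace with the Excphook count (hex: 0A = 10 exceptions)
mov count, 0

// Read the code section bounds from the PE header of the module containing eip
// (the packer's entry point, so this is the main executable).
gmi eip, CODEBASE
mov codebase, $RESULT
gmi eip, CODESIZE
mov codesize, $RESULT
mov codeend, codebase
add codeend, codesize

// Every exception raised by the debuggee jumps to on_exception. This stands in
// for the manual breakpoint on KiUserExceptionDispatcher.
eoe on_exception
run
msg "Debuggee stopped without raising an exception; check the count"
ret

on_exception:
inc count
cmp count, target
je last_exception
esto            // Shift+F9: hand the exception back to the packer and keep running
msg "Debuggee stopped before the expected number of exceptions"
ret

last_exception:
coe                       // stop intercepting exceptions
bprm codebase, codesize   // memory breakpoint on access over the whole code section
esto                      // pass the final exception; the packer now heads for the OEP
bpmc                      // clear the memory breakpoint once we have stopped
cmp eip, codebase
jb not_oep
cmp eip, codeend
jae not_oep
log eip
msg "Stopped inside the code section: eip should be the OEP, dump from here"
ret

not_oep:
msg "Stopped outside the code section: the packer is still accessing it (press Shift+F9 / F9 and retry) or another exception fired"
ret
```

One caveat that applies to the manual method as well: an OllyDbg memory breakpoint on access also fires on writes, so if the packer is still decrypting into the code section after its last exception the first stop will be on a write from the packer's own code rather than on the jump to the OEP. In that case simply continue (F9) until eip lands inside the code section.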

The very same method also works on tElock 0.98 with all options enabled.